What lessons should be learned from the Distribute.IT meltdown?
- 24 June, 2011 15:34
Australian Computer Society chief executive, Anthony Wong
As Distribute.IT's server compromise and subsequent acquisition by Netregistry Group this week has shown, companies who are the subject of a hack attack can be taken out of business permanently. The scale of the Distribute.IT disaster raises issues both for customers who use hosting providers to store sensitive business information and for the providers themselves.
That the incident should happen when there is increasing hype around the use of Cloud services, with organisations either hosting assets in the Cloud or using hybrid private/public models, throws into stark relief the legal minefield enterprises face when they rely on another party to store their data.
While Distribute.IT's customers and remaining assets have been transferred, customer data on four servers, along with the backups, has been wiped — forever.
So what can hosting providers do to avoid a similar fate, and what can businesses do to safeguard data?
Australian Computer Society (ACS) chief executive, Anthony Wong, says the Distribute.IT case has some parallels with an incident in the US in 2009, when internet service provider Core IP Networks was raided by the FBI and a multi-tenant server from a data centre was taken to gather evidence in an investigation of an attempt to defraud $US15 million from Verizon and AT&T.
"Unfortunately this disrupted the businesses whose data and information was hosted on the same server," says Wong "One company called Liquid Motors went out of business because it no longer had a system to use."
He says customers should go through service level agreements (SLAs) with a fine tooth combs. "They [customers] need to review those service levels and look at those responsibilities," Wong says.
"Most standard agreements trigger a force majeure or Act of God clause that relieves the affected party of its obligations when disaster occurs. In this case, Distribute.IT could say it was an Act of God because someone hacked the system and it was beyond their control. A customer has to look at that clause because if the system is critical to their business operation; they should negotiate the SLA and contract."
There can be legal hurdles, particularly when using Cloud, such as compliance issues, SLAs and performance, cross-border issues, data protection, privacy and termination.
"There is no law for cyberspace or Cloud computing for the internet in Australia, however there are a number of specific laws that apply such as the Electronic Transactions Acts, Privacy Act 1988, the Cybercrime Act 2001 and the Spam Act of 2003," Wong said.
One issue that is pertinent in the Distribute.IT case is preservation and retention of data, because record retention requirements will not be the same for each organisation.
"It has been asserted there are over 450 separate Acts of Parliament in Australian that contain provisions dealing with retention of records," Wong said.
"Courts are not likely to be very understanding just because your data is in the Cloud."
For people running a business, he says there is an obligation to retain online records for tax purposes.
"In this case with Distribute.IT, it sounds like most of the customers used it for their websites as well as emails. I assume the records of all those transactions are gone due to the data being lost. If the backups are lost, how are they going to comply with data retention and preservation for business records?" he said.
According to Wong, companies needed to look at four key issues with legal compliance including a review of corporate governance and industry regulation requirements, compliance with mandatory disclosures and financial reporting, as well as checking if there were special standards and compliance for the particular industry and being able to comply with data retention requirements during litigation.
"One example is financial services companies must first notify Australian Prudential Regulatory Authority (APRA) before conducting an offshore data transfer," says Wong.
"Financial services companies must demonstrate appropriate risk management and governance procedures where is the potential to compromise such as confidentiality and integrity of sensitive data."
Another common issue faced by businesses when selecting a hosting provider or Cloud service is which country's court system would settle a dispute if the data is stored offshore.
"If a provider is not based in Australia or their data services occur offshore than you need to look at that. The location of their server could trigger cross-border laws even if they are not physically present in those countries. Local laws may override contractual agreements between Cloud providers and customers."
Wong also says it is critical for organisations to understand how their data will be stored, used, managed and protected.
"Most systems create data, so the customer has to talk to the internet service provider [ISP] because ownership of that data is a big thing. Sooner or later, you may have to move to another provider, so are you able to do that?
"In this instance [Distribute.IT] where the supplier goes belly-up and transitions to new provider like Netregistry Group, what happens to their servers? They have to pay to transfer the data to the new servers and what happens if they choose not to continue [with that new provider] can they choose to remove that data?"
Wong cites the Privacy Act 1988's National Privacy Principle 4 (PDF) which mandates that an organisation must "take reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorised access, modification or disclosure."
He advises customers to review a supplier's security policy, because there are different standards of technical security that people adopt. "They need to evaluate those risks and find out who they are and what safeguards the suppliers are providing in terms of safeguards. Are they adequate to meet the needs of the customers?
According to Wong, there is no one-size-fits-all approach, particularly if you are employing a Cloud service given the plethora of models that are evolving — public, private, hybrid, SaaS and IaaS
People need to undertake due diligence with a provider. "You need to fully understand the risks associated with Cloud computing and adopt a risk mitigation approach to Cloud adoption," Wong says.
"Service agreements need to specify those areas the Cloud provider is responsible for and read the fine print for the Cloud computing agreement carefully."
Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU